Archive for September, 2007

Features : Radar Online : I-SPY

Friday, September 21st, 2007

This is a nice article from May 2007 on some tools for privacy protection, and tools for doing on-line research / privacy invasion.

From The Magazine : Radar Online : Cory Doctorow imagines a world in which Google is evil

Friday, September 21st, 2007

This is a wonderful short piece of fiction about the logical conclusion of our current path towards universal on-line data collection. The ultimate in paranoia fiction.

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise

Monday, September 10th, 2007

In a follow-up to this post I wrote a few weeks ago, we now understand how the 1000 government email accounts were compromised. It turns out that he did it using TOR.

I have said for a long time that I am amazed that anyone operates TOR servers other than government people and criminal/terrorist people. As the operator of a TOR server, you have access to the clear text of the data flowing through your server when you are the exit node (about 1/3 of the traffic typically). While the TOR documentation is clear about this vulnerability, it really understates it, and does not address what you should do about communicating with public services that do not provide an option to do end-to-end encryption of the information.

As a user of TOR, you are trusting the operators of the servers not to monitor your information. Dan Egerstad’s attack was simply to violate that trust. He actively monitored all of the traffic through his 5 TOR servers. He ran multiple servers to increase the amount of data he could collect. He identified the government accounts by searching the captured data for simple strings that would indicate the message was an email being sent or received in the clear, then further searching for keywords that would indicate it was government or military related.

Many other TOR servers could currently be searching for financial, medical, trade secret, or other information.

With any privacy service, you need to trust the operators of that service. The theory was that you would not need to trust the operators of the TOR network. The reality is that, in real world use, you do have to trust them, but you typically know very little about them. There is almost no hurdle to establishing a new TOR server. Just about anyone with access to a server can set it up as a TOR server. You must assume that many of those people will not have your best interests at heart.

My personal approach is to work with people with a long track record of trustworthy behavior. Anonymizer has been providing services for almost 12 years. I personally have been operating privacy services since 1992. In that time I have protected millions of people and billions of web pages and emails. Our track record for integrity is long and unblemished. I think that is the kind of basis one should use for deciding who to trust.

Yahoo seeks to dismiss China case - Yahoo! News

Tuesday, September 4th, 2007

This is a really interesting legal case. Yahoo was sued in the US by people representing some Chinese journalists who were convicted in China of violating Chinese law. Yahoo’s involvement was to provide evidence from their logs and stored account data. The argument is that Yahoo should have resisted more and provided less information under US and international laws.

The people working for Yahoo in China are in a tough place because they could easily be arrested and held in contempt for failing to comply. Widespread corruption in China would almost certainly lead to extra-legal consequences for Yahoo if they resisted.

One might well criticize Yahoo for designing their systems in such a way as to be vulnerable to such foreseeable attempts to gather information on journalists and dissidents.

I think it is a mistake to trust such potentially damaging information to any company like Yahoo, Google, AOL, etc. International law will be a cold comfort if you are sitting in a jail somewhere. The only real solution is to take control of your own information. Use encryption and anonymity to ensure that your information cannot be handed over.